
Zone Based Firewall

Discussion in 'Routing & Switching' started by Robt800, May 25, 2011.

  1. Robt800

    Robt800 Bit Poster

    21
    0
    2
    I've been tasked with setting up a ZFW on a Cisco 877. I've read quite a few articles on it & it seems pretty simple - a nice 5-step plan!

    Something isn't quite right - when I implement the firewall no traffic comes through!

    Starting to go round in circles a little - would someone mind having a look over my config please?

    Thanks

    Rob
     


    Last edited by a moderator: May 25, 2011
  2. cisco lab rat

    cisco lab rat Megabyte Poster

    660
    62
    116
    Hi

    Did you write these rules manually?

    Cheers

    Joe
     
    Certifications: Yes I pretty much am!!
    WIP: Fizzicks Degree
  3. Robt800

    Robt800 Bit Poster

    21
    0
    2
    Yes. Wasn't sure if I needed the zone-pairs involving the 'self zone', but put these in when I still didn't have traffic flow.

    Cheers

    Rob
     
  4. cisco lab rat

    cisco lab rat Megabyte Poster

    660
    62
    116
    I normally use SDM to configure the ZBF then tweak as required. I find doing it manually a right royal pain.

    Do you know which traffic you want to:
    pass
    drop
    inspect
    from the inside to outside zone?

    Which traffic do you want to:
    pass
    drop
    inspect
    from the outside to the inside?

    Cheers

    Joe
     
    Certifications: Yes I pretty much am!!
    WIP: Fizzicks Degree
  5. Robt800

    Robt800 Bit Poster

    21
    0
    2
    Yep basically, pass following (incoming & outgoing):
    https
    3389
    smtp

    Then block everything else

    Cheers

    Rob
     
  6. Robt800

    Robt800 Bit Poster

    21
    0
    2
    A little bit more info: as soon as I add 'match protocol tcp' to the class-maps - hey presto, the ports open. Problem is it opens up everything else! I.e. it's then only the NATing that offers any security.

    Any suggestions please?
     
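    The behaviour Rob describes is expected: `match protocol tcp` on its own matches every TCP flow, so an inspect policy built on it passes everything. The configuration below is an added example (not Rob's attached config and not from any of the posters); it shows the shape of a ZBF that inspects only HTTPS, SMTP and TCP/3389 in both directions and drops the rest. Interface names (Vlan1 for the LAN, Dialer0 for the Internet side) and the ACL/class-map/policy-map names are assumptions; 3389 is matched with an ACL inside a match-all class-map rather than by protocol name, so it works regardless of whether the IOS image has an NBAR entry for RDP.

```cisco
! Added example ZBF for a Cisco 877; interface and object names are assumed.
! TCP/3389 is matched by port: the ACL narrows the flow and "match protocol tcp"
! is only safe here because the class-map is match-all (both lines must match).
ip access-list extended ACL-RDP
 permit tcp any any eq 3389
!
class-map type inspect match-all CM-RDP
 match access-group name ACL-RDP
 match protocol tcp
!
! Everything we are willing to let through, in either direction.
class-map type inspect match-any CM-ALLOWED
 match protocol https
 match protocol smtp
 match class-map CM-RDP
!
! Same policy both ways; "inspect" creates the return-traffic state so no
! separate pass rule is needed for replies. class-default drops and logs.
policy-map type inspect PM-IN-OUT
 class type inspect CM-ALLOWED
  inspect
 class class-default
  drop log
!
policy-map type inspect PM-OUT-IN
 class type inspect CM-ALLOWED
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
!
interface Vlan1
 zone-member security INSIDE
!
interface Dialer0
 zone-member security OUTSIDE
```

    Two things worth checking against the real config. First, if no zone-pair involving the `self` zone is defined, traffic to and from the router itself (PPPoE control on the dialer, the router's own DNS/NTP lookups, management sessions) is permitted by default; adding self zone-pairs with a drop-by-default policy, as mentioned in post 3, is a common reason everything stops at once, so either remove them or give them a policy that explicitly inspects/passes what the router needs. Second, the inbound HTTPS/SMTP/3389 flows still need a static NAT or port forward to reach an inside host; the OUT-TO-IN policy only decides whether the firewall lets them through. `show policy-map type inspect zone-pair sessions` shows which class each live flow landed in, and the `drop log` lines on `class-default` will tell you what is still being blocked.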
  7. jonny7_2002

    jonny7_2002 Byte Poster

    191
    9
    37
    Post the config and I'll take a look.
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when it's out)
